[英]With a stack like Vue JS and .Net Core Web API - where do I implement auth (Azure AD)?
I'm confused on 'where' (as in which layer, if not both) I am to implement authentication with Azure AD in my app.我对“在哪里”(如果不是两者都在哪一层)感到困惑,我将在我的应用程序中使用 Azure AD 实现身份验证。
So I have a Vue JS front end, and I've read about how I can leverage ADAL JS to help with auth from the client.所以我有一个 Vue JS 前端,并且我已经阅读了有关如何利用 ADAL JS 来帮助客户端进行身份验证的信息。
However, I need calls to my web API to also be secured, and that's obviously not done with ADAL JS.但是,我还需要保护对我的 web API 的调用,这显然不是 ADAL JS 完成的。
How can I restrict calls to my web api to only users that are authenticated (they will need to login via the vue js app) using Azure AD?如何限制对我的 web api 的调用仅限于使用 Azure AD 进行身份验证的用户(他们需要通过 vue js 应用程序登录)? And then, similarly, allow web api to authenticate with Azure AD in order to retrieve things from blob storage?
然后,类似地,允许 web api 使用 Azure AD 进行身份验证,以便从 blob 存储中检索内容?
One example flow will be that a user logs in (in the vue js app), posts a file to my web api, which puts it in blob storage (azure).一个示例流程是用户登录(在 vue js 应用程序中),将文件发布到我的 web api,这会将其放入 blob 存储(天蓝色)。 An authenticated user can then later request this file (which needs to be restricted in azure to auth'd users only) and then return it to the authenticated client.
然后,经过身份验证的用户可以稍后请求此文件(需要在 azure 中将其限制为仅对经过身份验证的用户),然后将其返回给经过身份验证的客户端。
Am I over-thinking this?这是我想太多了吗? Is it a simple case of the web API authenticating with AD in Azure, receiving a token and forwarding that token onto the client to pass about?
它是 web API 在 Azure 中使用 AD 进行身份验证的简单案例,接收令牌并将该令牌转发给客户端以传递吗?
Your Vue app needs to handle the authentication using MSAL.js or ADAL.js.您的 Vue 应用程序需要使用 MSAL.js 或 ADAL.js 处理身份验证。 It can then acquire access tokens to your back-end API using the OAuth implicit flow.
然后,它可以使用 OAuth 隐式流获取后端 API 的访问令牌。
Your back-end API authenticates the caller using the JSON Web token they acquired.您的后端 API 使用他们获得的 JSON Web 令牌对调用者进行身份验证。
You can control which apps can call your API by defining scopes and app permissions on it, and then assigning them to apps that you want to have those accesses.您可以通过定义范围和应用程序权限来控制哪些应用程序可以调用您的 API,然后将它们分配给您希望拥有这些访问权限的应用程序。 Your API then needs to check the tokens that they have those permissions:)
您的 API 然后需要检查他们拥有这些权限的令牌:)
Permissions and consent: https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-permissions-and-consent权限和同意: https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-permissions-and-consent
Front-end sign-in: https://docs.microsoft.com/en-us/azure/active-directory/develop/scenario-spa-sign-in前端登录: https://docs.microsoft.com/en-us/azure/active-directory/develop/scenario-spa-sign-in
Front-end acquire token: https://docs.microsoft.com/en-us/azure/active-directory/develop/scenario-spa-acquire-token前端获取令牌: https://docs.microsoft.com/en-us/azure/active-directory/develop/scenario-spa-acquire-token
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.